IT departments are often criticised for their remoteness from the business. One cause could be highlighted by recent research numbers from IDC, which found that as much as 70 per cent of IT time is spent on maintenance and administration, leaving only 30 per cent available to focus on innovation for the business. Internal Dell research has this even higher at 80 per cent of time being spent on updates.

As IT has become more complex and distributed, the overheads involved in keeping systems running have significantly increased. IT managers cite the time spent on updating, maintaining, and patching systems as one of their greatest overheads.

Security patching, in particular, can be a burden. Microsoft alone can release more than a dozen critical patches during its monthly "Patch Tuesday" bulletins. Then there are additional, out-of-band patches, patches from other software vendors, and updates for hardware, firmware and development systems.

Patching is a priority

Patching is critical, as unpatched systems continue to represent a real security flaw in many businesses' networks. A study by NIST, the U.S. technology standards body, revealed that 90 per cent of successful attacks against companies exploited known vulnerabilities that could have been prevented if the systems had been correctly patched.

Patch management that is not centralised gives rise to other issues, aside from the security risks and the time it takes up. Without the appropriate policies in place, companies run the risk of deploying untested patches that can cause problems for other applications or other areas of the IT infrastructure.

For example, an IT department that allows users to manage their own patch updates runs the risk of disrupting or breaking critical business processes with an untested patch. This is most common with highly customised applications or software written in-house; however, off-the-shelf software is by no means immune to exposure.

Companies that do not centralise their patch management can also find that they have unnecessarily high energy bills. One of the most common reasons for not running desktop power management technology, or for not instructing staff to switch off their PCs overnight, is the need to install patches out of hours.

The case for patch management

As a result of these challenges, more businesses are looking at centralised systems for patch management. Patching desktop computers and servers, smartphones and tablets, and their applications is too large a task to be carried out manually. Even if IT had the time to patch systems manually, automated patch management has been shown to be more reliable and more secure.

Automatic patching, for example, is designed to manage exposure to the growing number of exploits that are specifically built to take advantage of systems before they are patched or upgraded.

Although the IT security industry, rightly, focuses on "zero day" exploits that aim to make use of vulnerabilities before vendors issue a patch, in too many cases hackers and cyber-criminals are able to gain entry to unpatched systems long after the patches have been released.

Companies can cause downtime and disruption through an uncoordinated approach to patching, especially where patches are applied without testing and the necessary compatibility checks.

To minimise the risk posed by patches, companies should look at testing patches or using a patch supplier that handles testing, and quarantining the use of unpatched computers until the patches are tested.
